kaboomcanuck, posted June 27:
Hi, hoping someone out there will be able to help provide additional information to help track down if these reports are malicious or false positives. Recently we've been getting this notification (TCP Port Scan attack Win32/Botnet.generic). We've looked at one of the machines with Process Explorer and also checked open network activities and did not spot anything out of the ordinary, and there were no known hits from VirusTotal either on any currently open processes. ESET did not report an application. The ports being used are mostly consistent and do not align with any known applications on our end. Ports are 7000, 660, 5985, 5986. The last two there I know are used by WinRM 2.0, which is being used on a Hyper-V server we have, but the IPS computer source and destination reported by ESET are not related to this machine. ESET itself is showing all of these as "resolved" as it was blocked, and the number of occurrences each time is 1 or 2. All systems show no active alerts on ESET and everything seems to be running okay. I have contacted ESET business support directly as well but have not heard back; any information that may be able to help us identify this would be greatly appreciated!
Marcos (Administrator), posted June 28:
I assume the question is not whether the detection is correct or if it's a false positive, but you want to identify the process that generates port scans on particular machines? Did you run "netstat -abo -p TCP" and try to find a suspicious process in the list? You can also provide logs for perusal:
1. Enable advanced network protection logging under Tools -> Diagnostics before a port scan occurs (shortly before port scan detection occurs).
2. After port scan detection, disable logging.
3. Collect logs with ESET Log Collector and upload the generated archive here.
itman, posted June 28:
Quoting kaboomcanuck (22 hours ago): "but the IPS computer source and destination reported by ESET are not related to this machine."
This is expected when IDS protection is detecting a TCP port scan. The attack is being done from device/s external to the local subnet. Do you have a network perimeter firewall/etc. appliance installed? It should be blocking this type of external network traffic from being passed to the local subnet. Ditto for just a router protecting the local subnet. Most have a firewall/IDS that blocks this type of port scanning network traffic.
JamesR (ESET Staff), posted June 28:
@kaboomcanuck Unfortunately your description of the issue does not allow us to identify the source of the TCP Port Scan (Win32/Botnet.generic) detections. This means we cannot yet state if these are being performed by an internal or external IP address. The best way for us to see what was detected would be to gather ESET Log Collector logs and provide them to us. At a minimum, please perform step 3 of Marcos' steps.
Quoting Marcos (5 hours ago): "1, Enable advanced network protection logging under Tools -> Diagnostics before a port scan occurs (shortly before port scan detection occurs) 2, After port scan detection disable logging 3, Collect logs with ESET Log Collector and upload the generated archive here."
If the source IPs are public IP addresses and the local ports do not need to be exposed to the internet, you should close off these ports from the internet (disable port forwarding, place the device behind a NAT/firewall, etc.). Any services that can be used to administer a network should not be exposed to all public IPs on the internet and should be restricted to only IPs which are trusted and allowed to connect. It would be best to block any and all public IPs to administrative services/ports and only allow access to these via private IPs and/or a VPN.
If the source IPs are private IPs, you will need to locate the devices with these private IPs and identify if they are devices intended to be performing port scans of the network. If they are not intended to be performing port scans, you will want to ensure endpoint protection is installed and any AV scans have been performed to help rule out malware as the cause. Keep in mind that some software will actively scan a network to identify other devices and that it may not be malware performing the TCP port scans.
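As an added example (not ESET's code and not from anyone in this thread) that ties Marcos's "netstat -abo -p TCP" suggestion to JamesR's public-versus-private source triage: the Python script below parses a constructed netstat listing, groups connections by owning process to surface any process touching many distinct host:port targets (the behaviour a port-scan alert points at), and classifies each peer address as RFC 1918 private or public, flagging the WinRM ports when the peer is public. The port set is taken from the thread; the process names, PIDs and all addresses in the sample are assumptions constructed for illustration.

```python
"""Triage helper for 'TCP Port Scan attack' alerts (added example, not ESET code).

Parses `netstat -abo -p TCP` output and applies a public-vs-private peer check.
All sample data below is constructed for illustration.
"""
import ipaddress
from dataclasses import dataclass

# Ports named in the thread; 5985/5986 are WinRM.
SUSPECT_PORTS = {7000, 660, 5985, 5986}
ADMIN_PORTS = {5985: "WinRM (HTTP)", 5986: "WinRM (HTTPS)"}

# RFC 1918 plus IPv6 ULA: what "private IPs" means in the thread.
PRIVATE_NETS = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "fc00::/7")]


@dataclass
class Conn:
    local_ip: str
    local_port: int
    remote_ip: str
    remote_port: int
    state: str
    pid: int
    owner: str = ""  # process/service name printed by -b on the following line(s)


def split_addr(addr):
    """'192.168.1.2:5985' or '[::]:5985' -> ('192.168.1.2', 5985)."""
    host, _, port = addr.rpartition(":")
    return host.strip("[]"), int(port)


def parse_netstat(text):
    """Parse `netstat -abo -p TCP` output (Windows layout, owner on the next line)."""
    conns = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0] in ("Active", "Proto"):
            continue  # banner and column-header lines
        if parts[0] == "TCP" and len(parts) == 5:
            lip, lport = split_addr(parts[1])
            rip, rport = split_addr(parts[2])
            conns.append(Conn(lip, lport, rip, rport, parts[3], int(parts[4])))
        elif conns:
            # continuation line: "[proc.exe]", a service name, or the
            # "Can not obtain ownership information" message (e.g. PID 4)
            conns[-1].owner = (conns[-1].owner + " " + line.strip().strip("[]")).strip()
    return conns


def classify_ip(ip):
    """Return 'private' for RFC 1918 / ULA, 'public' otherwise (plus special cases)."""
    a = ipaddress.ip_address(ip)
    if a.is_unspecified:
        return "unspecified"
    if a.is_loopback:
        return "loopback"
    if a.is_link_local:
        return "link-local"
    if any(a in net for net in PRIVATE_NETS):
        return "private"
    return "public"


def candidate_scanners(conns, min_targets=3):
    """Processes with many distinct (host, port) peers: the port-scan candidates."""
    per_proc = {}
    for c in conns:
        if c.state in ("SYN_SENT", "ESTABLISHED") and c.remote_port:
            per_proc.setdefault((c.pid, c.owner), set()).add((c.remote_ip, c.remote_port))
    return {k: sorted(v) for k, v in per_proc.items() if len(v) >= min_targets}


def triage(conns, ports=SUSPECT_PORTS):
    """One finding per listener on, or connection to, a suspect port."""
    findings = []
    for c in conns:
        if c.state == "LISTENING" and c.local_port in ports:
            findings.append({"kind": "listening", "port": c.local_port,
                             "service": ADMIN_PORTS.get(c.local_port, "unknown"),
                             "bound_to": c.local_ip, "pid": c.pid, "owner": c.owner,
                             "note": "bound to all interfaces"
                             if c.local_ip in ("0.0.0.0", "::") else ""})
        elif c.state != "LISTENING" and c.remote_port in ports:
            scope = classify_ip(c.remote_ip)
            findings.append({"kind": "outbound", "port": c.remote_port,
                             "service": ADMIN_PORTS.get(c.remote_port, "unknown"),
                             "remote": c.remote_ip, "scope": scope, "state": c.state,
                             "pid": c.pid, "owner": c.owner,
                             "note": "admin port and public peer"
                             if scope == "public" and c.remote_port in ADMIN_PORTS else ""})
    return findings


# Constructed sample in the `netstat -abo -p TCP` layout (hypothetical processes/IPs).
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:5985           0.0.0.0:0              LISTENING       4
 Can not obtain ownership information
  TCP    0.0.0.0:5986           0.0.0.0:0              LISTENING       4
 Can not obtain ownership information
  TCP    192.168.10.5:49812     192.168.10.77:7000     SYN_SENT        5324
 [inventory-agent.exe]
  TCP    192.168.10.5:49813     192.168.10.77:660      SYN_SENT        5324
 [inventory-agent.exe]
  TCP    192.168.10.5:49814     192.168.10.80:5985     ESTABLISHED     5324
 [inventory-agent.exe]
  TCP    192.168.10.5:49815     203.0.113.9:5986       SYN_SENT        5324
 [inventory-agent.exe]
  TCP    192.168.10.5:49820     192.168.10.80:660      TIME_WAIT       0
  TCP    192.168.10.5:50022     192.0.2.44:443         ESTABLISHED     7716
 [msedge.exe]
"""

if __name__ == "__main__":
    conns = parse_netstat(SAMPLE_NETSTAT)
    for (pid, owner), targets in candidate_scanners(conns).items():
        print(f"PID {pid} ({owner}) reached {len(targets)} distinct host:port targets")
    for finding in triage(conns):
        print(finding)
```

On a real machine, run netstat from an elevated prompt, save its output to a file and pass the file contents to parse_netstat; an owner of "Can not obtain ownership information" is what netstat prints for sockets it cannot attribute, typically System (PID 4) sockets or a non-elevated run. A process that appears in candidate_scanners with peers on several hosts and ports is the one to check against the source IP and ports in the ESET alert; a finding with scope "public" on a WinRM port is the exposure JamesR describes.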
pstoric, posted September 7:
Did you ever figure this out? I'm seeing something similar.
Marcos (Administrator), posted September 7:
We haven't been provided logs yet as requested above.
itman, posted September 7 (edited):
Another thing to note here is that ESET IDS protection can detect non-specific port scanning activities and will display an alert as shown in this knowledge base article: https://support.eset.com/en/kb2951-resolve-detected-port-scanning-attack-notifications . However, in regards to this posting, ESET appears to be detecting port scanning related to botnet activity and alerting as such. This leads me to believe that ESET Botnet protection was the primary activity detector. Related article: https://support.eset.com/en/kb7487-resolve-the-incomingattackgeneric-or-botnetcncgeneric-network-protection-alert .
Edited September 7 by itman